Protected Health Information:
What is PHI?
HIPAA Protected health information (PHI) is any piece of information in an individual’s medical record that was created, used, or disclosed during the course of diagnosis or treatment that can be used to personally identify them. This includes a wide variety of identifiers and different information recorded throughout the course of routine treatment and billing. Collecting PHI is a necessary component of the health care industry, and it needs to be attended to with the proper safeguards.
Below, we’ve listed the 18 types of information that qualify as PHI according to guidance from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). HIPAA protected health information examples include:
- Address (including subdivisions smaller than state such as street address, city, county, or zip code)
- Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Vehicle identifiers, serial numbers, or license plate numbers
- Device identifiers or serial numbers
- Web URLs
- IP address
- Biometric identifiers such as fingerprints or voice prints
- Full-face photos
- Any other unique identifying numbers, characteristics, or codes
What is ePHI?
Electronic protected health information (ePHI) is any PHI that is created, stored, transmitted, or received electronically. The HIPAA Security Rule has specific guidelines in place that dictate the means involved in assessing ePHI.
Media used to store data, including:
- Personal computers with internal hard drives used at work, home, or while traveling
- External portable hard drives
- Magnetic tape
- Removable storage devices, including USB drives, CDs, DVDs, and SD cards
- Smartphones and PDAs
Means of transmitting data via wi-fi, Ethernet, modem, DSL, or cable network connections including:
- File transfers
PHI and HIPAA
The HIPAA Privacy Rule provides federal protections for PHI that’s held by Covered Entities (CEs) and gives patients rights over that information. The Privacy Rule allows PHI to be disclosed as a result of patient care, but has strict guidelines in place for maintaining the integrity and security of that information while it’s being stored or otherwise processed. There are specific measures within the Rule that require comprehensive administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of PHI is being properly maintained.
Data Storage, Cloud Storage, and ePHI
It’s important to note that HIPAA regulation treats data storage companies as Business Associates (BAs). The regulation accounts for the storage of physical and digital data, meaning that cloud storage services qualify as BAs even if the organization rarely, randomly, or never accesses or views the ePHI that they store.
When dealing with data and cloud storage services, CEs and BAs must have Business Associate Agreements (BAAs) in place. A good BAA should include provisions that clearly delineate liability in the event of a data breach, in addition to the technical, administrative, and physical safeguards that will be put in place to maintain the integrity of PHI.
Compliancy Group Can Help
When it comes to understanding HIPAA, the Privacy and Security Rules are two of the most significant portions of regulation. Each rule requires extensive reporting, tracking, and documentation to accompany their regulatory requirements, making the task of managing an organization’s HIPAA compliance a significantly involved process.
At Compliancy Group, our web-based HIPAA compliance solution, The Guard, simplifies this entire process. The Guard is a total compliance solution built to incorporate the full extent of federal regulation. There’s never an added cost if the regulation changes or expands. Users are notified when policies, procedures, training, and other elements of their compliance are up for review. So monitoring the ongoing status of your organization’s compliance becomes as easy to manage as logging in to The Guard.